Posted by kdawson on Friday July 16, 2010 @11:45AM from the doing-well-by-doing-good dept.

Trailrunner7 writes "In an effort to enlist more help finding bugs in its most popular software — Firefox, Thunderbird, and Firefox Mobile — Mozilla is jacking up the bounty it pays to researchers who report security flaws to $3,000. 'For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,' said Lucas Adamski, director of security engineering at Mozilla. In addition to Mozilla, Google also has established a bug bounty program — though at $500 it has been called 'insulting.' None of the larger software vendors such as Microsoft or Oracle have taken that step. Some researchers see that as inevitable, however."

I admit I don't know much about it, but I don't get the impression that TeX is as much of a moving target as Web browser security/UI/standards/etc. What massive changes has LaTeX needed to undergo these last few years in order to stay relevant? Mozilla has improved their Acid3 support, dealt with security vulnerabilities that will never apply to LaTeX, added Theora support for the <video> tag, they're probably working on the rest of HTML5, they're changing to a Chrome-like UI, they're overhauling

Precisely. $3000 is of course more than $500, and Google certainly could afford more... although, on the other hand, Google has way more products to find bugs in, etc. Anyways, the whiff of "entitlement" in that statement seems strong to me.

What entitlement? Finding these major exploits is not easy and can easily take weeks or months of work to uncover. To think that $500 is a sufficient payment to recompense them for their work is a joke. Especially when they can get anywhere from 10 to 100 times that by selling these exploits on the black market.

Except that the people who will mostly be discovering these bugs and exploits are not students. They are going to be professionals that can get upwards of $10,000+ depending on the severity of the exploit they find.

He may use source code if it's available, which it isn't for IE, which he has found exploits in, once he's found something after doing the fuzzing, but I can assure you he doesn't just stare at the source code and go "AHA! A BUFFER OVERFLOW!!".

If the source is available, they'll also read through it. It's quite possible that they'll notice something someone else didn't, especially if 1) they didn't write the code and 2) they know the kinds of things they are looking for. When code is not available, a common step is to disassemble the code and start to reverse engineer it.

Automatic fuzzers and exploit testers seldom provide results as 1) vendors can and generally do run such tests themselves and 2) they only test for the particular cases they are

No, Charlie Miller talks about much larger payouts from MS. He said, "I was shocked when I saw someone sign up to go after IE 8. You can get paid a lot more than $5,000 for one of those bugs. I’ve talked to a lot of smart, knowledgeable people and no one knows exactly how he did it. He could easily get $50,000 for that vulnerability. I’d say $50,000 is a low-end price point." here [zdnet.com].

While you can make an argument that you are technically correct, "upwards of $10,000" is pretty misleading; "less than $5000" would be a better figure.

Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that

I think "insulting" is code for "the market value of this vulnerability is much higher. I'd rather sell it to a buyer other than Mozilla." In other words, most ethics are based in economics. It's easy to do good when there's money involved in doing so.

No, but they are more likely to let Mozilla know about the exploit than stick it into the black market. The fact that if they find something that gains access to Mozilla's employee database or some such they may still screw with it, that's something else entirely.

No, I think the $500 offered by Google is insulting because it's like offering someone $10 to clean your house when it would cost them more than that to drive there. Interestingly, people don't seem to mind that much when the price is like $1 million, i.e. DARPA has given prizes of this size and the winner has spent six times that (not to mention all the losers), but I think if DARPA didn't want to offer the $1 million, they would be better off offering nothing than, i.e. $50, because the nothing suggests that

If you work on something you usually like to get paid. It's considered insulting to pay just $500 for a bug simply because you can get a much higher paycheck if you sell it on the black market. So, if you're into security research to make money, $500 is an insult to people's time.

Donald Knuth used to pay $2.56 per bug found in his programming books; the recognition was more valuable than the amount and most people would frame the checks and never cash them, as a matter of pride: "I was recognized." So getting an acknowledgment of finding a bug: +value; getting significant money as well: ++value. Not worrying about selling your bug to people who might kill you if they think you screwed them or turned them in, and not worrying if the FBI, etc. will throw you in jail for breaking laws... pric

Finding a bug in a book is a matter of reading, proofreading and testing every example in the book to see if it works well. You could say it's an exact science because you can simply define a couple of rules and follow them until you find a small mistake.

Finding a bug in software isn't that simple. For starters there are millions of lines of code and, unlike books, a single line can affect millions of other lines' logic paths/assumptions/etc. There is no single method you can apply to find a bug and that's wh

Finding a bug in software isn't that simple. For starters there are millions of lines of code

That is likely true for fixing a bug. Nowhere did it say you had to find the line of code that causes the issue. But finding a bug in software, when you have the software, and say it was free software so anyone could use it... Then the difficulty in finding a bug could be as simple as downloading a copy of Mozilla and using it. Similar to this security issue bounty, his bounty wasn't for grammar, it was for finding a significant issue. Most likely this $500 gives enough incentive to pay for the time sp

That's true if you're the casual finder, but not if you live off security research.

I do know it isn't as simple as looking at the code, and sometimes you don't even do that; the point was that finding a bug in something as widely tested and used as a browser isn't as simple as proofreading a book.

He still does (figuratively, anyway; it's now a hall of fame on his website). He did it for TeX too; the key is that his pricing scheme with TeX was such that the next bug would be exponentially more expensive, since that way, as there were fewer bugs left to find, he paid more for finding them. However, as TeX is now in several different implementations that aren't maintained by Knuth, he no longer needs to worry about the TeX ones.

Mozilla also announced that the criteria for 'security bugs' require an attack vector that completely compromises the system from a remote location without internet connection. All other bugs are not treated as 'security' bugs, but rather: 'unwanted features', the bounty for this is of course limited to a 'quit complaining, you got it for free' letter.

OK, here are the actual criteria, fresh from TFA:

Security bug must be original and previously unreported.

Security bug must be a remote exploit.

Security bug is present in the most recent supported, beta or release candidate version of Firefox, Thunderbird, Firefox Mobile, or in Mozilla services which could compromise users of those products, as released by Mozilla Corporation or Mozilla Messaging.

Security bugs in or caused by additional 3rd-party software (e.g. plugins, extensions) are excluded from the Bug Bounty program.

The /. editors have infinite mod points and can add more than 1 to a comment. Usually when I see a way-out-of-bounds mod like this that then gets corrected back to reality I wonder if the editor was just being a tool. But since we can't see editor mods separately, you never do know; maybe early birds are just different moderators than latecomers.

It worked for him; the cheque from him was worth far more than the value printed on it. I think that offering rewards for disclosure can only lead to better code. Microsoft hasn't yet implemented this method as they would rapidly go broke.

As an example, text box input of Firefox used to have some bad bugs I never did track down, though I tried. After much editing and jumping about in the text box, sometimes using backspace would erase the wrong character. Would remove a character at the end of a line several lines above the cursor. Tried to recreate the bug with sequences of keystrokes I guessed might cause it, but no luck. I thought of buying a keylogger so I could capture the keystrokes the next time it happened. But that was getting t

That video explains why giving a low amount such as $500 is counterproductive. Paying a fair amount of money for security research is compensating people for the time and effort for finding and reporting the bug. As an example from the video, it's like giving someone $50, a fair amount, to change your tire instead of $1, which is an insulting amount.

I think it does further the mission. Giving $3000 per security bug is not counterproductive because security researchers do not have a social contract with Mozilla. Mozilla will not give us a ride to work if our car breaks down. Mozilla giving $3000 for a security bug is not like giving your mother-in-law money for Thanksgiving dinner for this reason.

Dan is talking about paying money as a routine, like a salary. The security exploit pay is like a reward, you don't get paid for the effort, anybody can make the effort but only 1% of the people who would try are capable of finding a real security hole. The effect doesn't apply.

I don't see how that applies in this situation, either. Mozilla is not paying people to specifically look for security problems in Firefox. The security researchers do whatever they want -- they're autonomous, doing the research they want to do for their own motivation. If during their work they happen to find a bug in Mozilla, this makes it easy for them to do the right thing and report the problem to Mozilla first, before someone else finds the problem.

This isn't money for finding bugs. This is money for, once you have found a bug, reporting it to Mozilla as opposed to selling it on the black market or just posting it on your blog so as to 0-day users.

That is, the assumption is that people are looking for bugs and are perhaps finding them. The bounty is to convince them to do things _after_ that in a way that does minimal harm to Mozilla's users.

I need to sign up to work on Mozilla products!
Boss: "Our goal is to write bug free software. I'll pay a ten-dollar bonus for every bug you find and fix. I hope this drives the right behavior."
Wally: "I'm gonna write me a new minivan this afternoon!"

This is the exact reason for the disqualification criterion for the bug bounty [mozilla.com].

In concert with those changes, we are also updating the eligibility language to make it clear that Mozilla reserves the right to disqualify bugs from the bounty payment if the reporter has been deemed to have acted against the best interests of our users.

Microsoft would never do this; they would get hacked apart worse than they do now with virus and spyware problems. Their PR department would be out-of-control busy. Plus Microsoft's patch team would have to be doubled in staff. Patch Tuesday would be every Tuesday.